SSL Certificate - IBM 


Installation Guide 


NIC 


accelerate your business 


Please select your version 


Installation Instructions for IBM AS 400 / iSeries server 


Installation Instructions for IBM HTTP Server running IKEYMAN GUI 


Installation Instructions for IBM WebSphere using IKEYMAN GUI (Version 7) 


Installation Instructions for IBM Websphere using the command line 


Installation Instructions for IBM AS 400 / iSeries server 


Step 1: Download the Symantec Intermediate CA Certificate 

1. Download the Intermediate CA certificate from here 

2. Select the appropriate Intermediate CA certificate for your SSL Certificate type. 
3. Copy the Intermediate CA certificate and paste it on a Notepad. 
4 


Save the file as intermediate.txt 


Step 2: Install the Symantec Intermediate CA Certificate 
1. Start Digital Certificate Manager (DCM). 
2. From navigation panel, click Select a Certificate Store > select SYSTEM 


Digital Certificate Manager 


Select a Certificate Store 


Select the certificate store that you want to open. 


© Local Certificate Authority (CA) 


Select a Certificate Store {e} “SYSTEM 


_| © Other System Certificate Store 


ETE 


3. Enter in password for Certificate Store > click Continue 
4. From navigation panel, select Manage Certificates 


5. From the list, select Import Certificate > Certificate Authority (CA) > click Continue 


Ei 


Digital Certificate Manager 


> Fast Pa Import Certificate 
tl Certificate store: *SYSTEM 
= Create New Certificate Store 
® Install Local CA Certificate on i . 
Your PC =| Select the type of certificate that you want to import. 
Manage Certificates x 3 
Eer s o Server or client 
o Renew certificate {sì Certificate Authority (CA) 
* Import certificate 


* Export certificate 


6. On the next screen, specify the path and file name of intermediate ca certificate. This is 


the location and name of the intermediate ca file on the IFS of the iSeries. 


Example: The file is stored in the /home directory and the intermediate ca file was called 


'cert.txt you would put in a path and file name of /home/cert.txt. 


is ree z FEF 
| Digital Certificate Manager © 13: 
Collapse All 
P Fast Path Import Certificate Authority (CA) Certificate 
n Create Caniiiss Certificate type: Certificate Authority (CA) 
a Certificate store: *SYSTEM 
* Install Local CA Certificate on 
Your PC =| Specify the fully qualified path and file name of the certificate that you want to import. 
is "Vi = ag Example path and file name: /MYDIRECTORY/MYFILE.EXT 
* Renew certificate Import file: /home/certtxt 
z = E 


7. Click Continue 
8. Create a CA certificate label. This can be any name desired as long as it is unique (should 


not match any labels for any other certificates). 


Example: CA certificate label: Certificate Authority Name 


|S) 


Digital Certificate Manager 
Collapse All 
> Fast Path Import Certificate Authority (CA) Certificate 
tr ni Certificate type: Certificate Authority (CA) 
* Create New Certificate Store Certificate store: *SYSTEM 
a Install Local CA Certificate on 
Your PC 3 
SUELEN Specify a label for the certificate. 
* View certificate 
® Renew certificate CA certificate label: Certificate Authority Name 
* Import certificate E 
teneo 
* Delete certificate 


9. Click Continue 


10. A message stating the intermediate ca certificate has been imported. Click OK 


Digital Certificate Manager © IBM. 
lapse 

P Fast Path Import Certificate Authority (CA) Certificate 

® Create Certificate Message E ifi os been i 

* Create New Certificate Store 

= c TS Use the Manage Applications task if you want to specify that applications trust 
Your PC - this Certificate Authority (CA). 

V Manage Certificates 
* View certificate Cok] 


Step 3: Obtain the SSL Certificate 


1. The Symantec certificate will be sent by email. The certificate is included as an 


attachment (Cert.cer) and it is also imbedded in the body of the email. 
Copy and paste the certificate into a text file using Vi or Notepad 
The text file should look like: 


3. Save the file with extansion .txt 


Step 4: Install the SSL Certificate 

Start Digital Certificate Manager (DCM). 

From navigation panel, click Select a Certificate Store > select *SYSTEM 
Enter in password for Certificate Store > click Continue 

From navigation panel, select Manage Certificates 

From the list, select Import Certificate > select Server or Client 


Select the certificate file and complete wizard 


AOS GA d (Qe p o 


Verify certificate installation using the Symantec Installation Checker. 


Installation Instructions for IBM HTTP Server running IKEYMAN GUI 


Step 1: Download the Symantec Intermediate CA Certificate 


1. 
2. 
3. 
4. 


Download the Intermediate CA certificate. 
Select the appropriate Intermediate CA certificate for your SSL Certificate type. 
Copy the Intermediate CA certificate and paste it on a Notepad. 


Save the file as intermediate.cer 


Step 2: Install Symantec Intermediate CA Certificate 


l. 


Qu dS gee X ES 


8. 
9. 


Start the key management utility (Keyman): 


On Windows: Go to the start UI and select Start Key Management Utility 


On AIX, Linux or Solaris: Type ikeyman on the command line 


Open the key database file that was used to create the certificate request. 

Enter the password, then click OK. 

Click on the "down arrow" to the right, to display a list of three choices. 

Select Signer Certificates, then click Add. 

Click Data Type and select a data type, such as Base64-encoded ASCII data. 

NOTE: This data type must match the data type of the importing certificate. 

Enter a file name and location for intermediate.cer digital certificate or click Browse to 
select a file name and location. 

Click OK. 


Enter a label for importing certificate, for example: Intermediate CA 


10. Click OK. 


11. The Signer Certificates field displays the label of the signer certificate you added. 


Step 3: Obtain the SSL Certificate 


1. 


The Symantec certificate will be sent by email. The certificate is included as an 
attachment (Cert.cer) and it is also imbedded in the body of the email. 

Copy and paste the certificate into a text file using Vi or Notepad 

The text file should look like: 


3. 


Step 4: Install the SSL Certificate 
1. 


3. Click on the "down arrow" to the right, to display a list of three choices 


Save the file with extension .cer 


Open the .kdb file using the iKeyman utility: 


On Windows: Go to the start UI and select Start Key Management Utility 


On AIX, Linux or Solaris: Type ikeyman on the command line 


In the middle of the iKeyman GUI you will see a section called Key database content 


Select Personal Certificates 


Key database content 


= 
=: 
[v 
E 


5. 


From the Personal Certificates section, click Receive 


- 


DB-Type: CMS key database file l 
File Name: CAProgram FilesUBM HTTP Servertsshtest kdb 


Key database content 


Receive the certificate you requested 


7. 
8. 


Browse to the directory that contains the .cert or .arm file 


Highlight the file and click Open. 


9. Now click OK on this dialog box 


Receive Certificate from a File 


Data ype [Basebtencoded ASCH data ~ | 
Certificate file name: etresponnseam— .FFFFFFFTFTFTFFFF O O 
Location: ÍCiProgramFiles/.BMHTTPSemenssh — = | 
ful EECCOE] 


Step 5. Transfer Certificate 


1. 


To extract an SSL certificate from a key database file and store it in a CA key ring file, 


start the iKeyman graphical user interface 


Run following command: 


On Windows: strmgikm 


On UNIX: gsk7ikm 


Choose Open from the Key Database File menu. Click Key database type, and 
select CMS. 

Click Browse to navigate to the directory containing the key database files 

Select the key database file to which you want to add the certificate. For example, 
key.kdb. 

Click Open 

In the Password Prompt window, type the password you set when you created the key 
database and then click OK. 

Select Signer Certificates in the Key database content field, and then select the 
certificate you want to extract. 


Click Extract. 


. Select the Data type of the certificate. For example, Base64-encoded ASCII 
. Click Browse to select the name and location of the certificate file name. 
. Click OK. The certificate is written to the file you specified. 


. Verify certificate installation using the Symantec Installation Checker. 


Installation Instructions for IBM WebSphere using IKEYMAN 
GUI (Version 7) 


Step 1: Download the Symantec Intermediate CA Certificate 


1. Download the Intermediate CA certificate. 
Select the appropriate Intermediate CA certificate for your SSL Certificate type. 


2. Copy the Intermediate CA certificate and paste it on a Notepad. 


Save the file as intermediate.cer 


Step 2: Install Symantec Intermediate CA Certificate 


1. Start the key management utility (iKeyman): 


On Windows: Go to the start UI and select Start Key Management Utility 


[21 IBM Key Management - [C:\HTTPServer Test\test.kdb] 
Key Database File Create View Help 


IE 3E: Ten] 


De 


Key database information 


DB-Type: CMS 


File Name: CAHTTPServerTestitest kdb 
Token Label: 
Key database content 
‘Signer Certificates Z Add... 
primary CA Delete 
.Î| Admin View/Edit... 
Extract... 
e Internet @ Set Program Access and Defaults 
Internet Explorer 
: ' W Windows Catalog Populate... 
i^ E-mail : d 
Gi Outlook Express Ab Windows Update Rename 
@ Accessories 
a Notepad e Games 
©) Startup 
e IBM Key Managemer a 
@ Internet Explorer 
N Start Admin Server [| ‘WH MSN Explorer 
(GQ) Outlook Express 
@ Mozilla Firefox (Safe | © Remote Assistance 
© windows Media Player 
@ Set Program Access 
Defaults dB Windows Messenger Ny, Start Admin Server 
@) Mozilla Firefox 
“N MSN Explorer e N 
(E) eToken [a] silty 
(È) IBM WebSphere M “Stop Admin Server 
AllPrograms È | fai IBMHTTP 0 ‘Ng. Stop HTTP Server 
———————— 
[Bh too oF [5] run 
R) 4:17PM 


[E] IBM Key Management... 


start e fi HTTP: 


On AIX, Linux or Solaris: Type ikeyman on the command line 


2. Open the key database file that was used to create the certificate request. 


IBM Key Management - [C:\HTTPServerTest\test.kdb] 
Key Database File Create View Help 


Dag ES 


Key database information 


DB-Type: CMS 

File Name: CAHTTPServerTestitest kdb 

Token Label: 

Key database content 
Personal Certificate Requests New... 
Delete 

Key database type |CMS [CÀ HTTPServerTest — 
File Name: key.kdb O test.kdb Extract... 
Location: ICAHTTPServerTesti 


Ce] 


File Name: itest.kdb 


Files of Type: Key database type (*.kdb) 


he requested action has successfully completed! 


3. Enter the password, then click OK. 


5 IBM Key Management \HTTPServerTest\test.kdb] 


Key Database File Create View Help 


D M EmSÓ 


Key database information 


DB-Type: CMS 

File Name: CAHTTPServerTestitest kdb 

Token Label: 

Key database content 

Personal Certificate Requests hd New... 

\incent.symantec.com Delete 
View 

Password Prompt BR) Extract... 


Password: |eceeeeee| 


fine requested action has successfully completed! 


[8] IBM Key Manag 


4. Select Signer Certificates, then click Add. 


(al BM Key Management - [C:\HTTPServerTestMtest.kdb] 


Key Database File Create View Help 


Iz] 
DI 


Key database information 


DB-Type: CMS 


File Name: CAHTTPServerTeshitest kdb 
Token Label: 
Key database content 
Personal Certificate Requests v New... 
[Personal Certificates 
sc Delete 
Personal Certificate Requests 
View 
Extract... 


f he requested action has successfully completed! 


5. Click Files of Type and select All Files. 
6. Enter a file name and location for intermediate.cer digital certificate or click Browse to 


select a file name and location. 


a Key Management - [C:\HTTPServerTest\test.kdb] 


Key Database File Create View Help 


Dg 


Key database information 


DB-Type: CMS 
File Name: CAHTTPServerTeshtest kdb, 
Token Label: 


Signer Certificates z Add... 
Look In: | HTTPServerTest 
Delete 
C) certreq.arm 
ü View/Edit... 
[3 primary.cer 
D secondary.cer Extract... 
[5 test.kdb 
[^ test.rdb Populate. 
D test.sth Rename 


File Name: iprimary.cer 


Files of Type: (All Files 


f he requested action has successfully completed! 
est emei 


‘A | Start Key Manageme. 


7. Click OK. 


8. Enter a label for importing certificate, for example: Intermediate CA 


[21 IBM Key Management - [C:\HTTPServer Test\test.kdb] 


Key Database File Create View Help 


HACHE 


Key database information 


DB-Type: CMS 
File Name: CAHTTPServerTestitest.kdb 
Token Label: 
Key database content 
Signer Certificates Z Add... 
Delete 
View Edit... 
Enter a Label Extract... | 
- alabelfor the certificate: — Docnisi sn 
l Eo] Cancel Rename 


f he requested action has successfully completed! 


[A] IBM Key Management, 


7. Click OK. 
8. The Signer Certificates field displays the label of the signer certificate you added. 


Step 3: Obtain the SSL Certificate 

1. The Symantec certificate will be sent by email. The certificate is included as an 
attachment (Cert.cer) and it is also imbedded in the body of the email. 

2. Copy and paste the certificate into a text file using Vi or Notepad 
The text file should look like: 


3. Save the file with extension .cer 


Step 4: Install the SSL Certificate 


1. 


di 


Start the key management utility (iKeyman): 


On Windows: Go to the start UI and select Start Key Management Utility 


uU IBM Key Management - [C:\HTTPServerTest\test.kdb] 


SS DOC 


DB-Type: CMS 
File Name: CAHTTPServerTeshtest kdb 
Token Label: 


| 


Key database information 


Key database content 


‘Signer Certificates LA Add. 
primary CA Delete 
View Edit... 
Extract... 
é Internet @ Set Program Access and Defaults 
Internet Explore 
dia W Windows Catalog Populate... 
E-mail 
2 Outlook Express A Windows Update Rename 


@ Accessories » 
(E) Games » 
@ Startup LI 
iB) Internet Explorer 
Wi MSN Explorer 

(Q) Outlook Express 


e IBM Key Managemet 
N Start Admin Server 


@ Mozilla Firefox (Safe f p2 Remote Assistance 


© Windows Media Player 
Set Program Access 
Defaults 4B Windows Messenger 


“Start Admin Server 
(E) Mozilla Firefox ri N Start HTTP Server 
MSN Explorer 


@ eToken DI (A) start Key Management Utility 


(@ 18M WebSphere MQ » [| N, Stop Admin Server 
All Programs | fgg IBMHTTP [NI N Stop HTTP Server 
——____—_— 


On AIX, Linux or Solaris: Type ikeyman on the command line 


Choose Open from the Key Database File menu. Click Key database type, and 
select CMS. 


|Z.. IBM Key Management - [C:\HTTPServer Test\test.kdb] 
Key Database File Create View Help 


B 


HA 


* 


Key database information 


DB-Type: CMS 
File Name: CAHTTPServerTeshitest kdb 
Token Label: 


Key database content 
Personal Certificate Requests New... 
Delete 
HTTPServerTest 
Key database type m View 
File Name: Key.kdb. Extract... 
Location: CAHTTPServerTestt 


File Name: 
Files of Type: 


test kdb 


Key database type (*.kdb) hA 


Cancel 


he requested action has successfully completed! 


[E] 18M Key Management 


Click Browse to navigate to the directory containing the key database files. 

4. Select the key database file to which you want to add the certificate. For example, 
key.kdb. 

5. Click Open 

6. In the Password Prompt window, type the password you set when you created the key 


database and then click OK. 


+. IBM Key Management :\HTTPServerTest\test.kdb] 


Key Database File Create View Help 


pelat RE 


Key database information 


DB-Type: CMS 

File Name: CAHTTPServerTeshitest kdb 

Token Label: 

Key database content 

[Personal Certificate Requests v New... 

\vincent.symantec.com Delete 
View 

Password Prompt CI Extract... 


Password: [eeeeeeee| 


f he requested action has successfully completed! 


7. Select the Personal Certificates view. 


Server Test\test.kdb] 


Key Database File Create View Help 


BACO 


Key database information 


DB-Type: CMS 
File Name: CAHTTPSererTestitest kdb 
Token Label: 
Key database content 
PersonalCertiiestes / [v Receive.. 
igner Certificates Delete 
ersonal Certificate Requests 
View Edit... 
Import... 


Recreate Request... 


Rename 


New Self-Signed... 


Extract Certificate... 


f he requested action has successfully completed! 


8. Click Receive 


+. IBM Key Management :\HTTPServerTest\test.kdb] 


Key Database File Create View Help 


Da EL 


Key database information 


DB-Type: CMS 

File Name: CAHTTPServerTeshitest kdb 

Token Label: 

Key database content 
Personal Certificates X Receive... 
Delete 
View Edit... 
Import... 


certam 


Recreate Request... 


CAHTTPServerTestt 


Co] = 


New Self-Signed... 


Extract Certificate... 


f he requested action has successfully completed! 


ì | Start Key Manageme. [BL] IBM Key Management 


9. Click Browse to select the name and location of the certificate file name. 


IBM Key Management :\HT PServer Test\test.kdb] 


Key Database File Create View Help 


Dag SR Oe 


Key database information 


DB-Type: CMS 
File Name: CAHTTPServerTeshitest kdb 
Token Label: 
Key database content 
Personal Certificates =, Receive... 
Delete 
View Edit... 
Lookin: |[-HTTPServerTest 
Import... 
[3 certreq.arm 
D primary.cer Recreate Request... 
D secondary.cer 
Rename 
File Name: certam 
Files of Type: Key file type (*.cer, *.arm, *.ber, *.der, *.eml) 
New Self-Signed... 
Extract Certificate... 


f he requested action has successfully completed! 


Start Key Manageme. A] IBM Key Management: 


10. Click OK 


11. Verify certificate installation using the Symantec Installation Checker. 


Installation Instructions for IBM Websphere using the command 


line 


Step 1: Download the Symantec Intermediate CA Certificate 

1. Download the Intermediate CA certificate. 

2. Select the appropriate Intermediate CA certificate for your SSL Certificate type. 
3. Copy the Intermediate CA certificate and paste it on a Notepad. 
4. 


Save the file as intermediate.cer 


Step 2: Install Symantec Intermediate CA Certificate 


1. Run following command to add the intermediate.cer into the key database: 


For UNIX: 


gsk7cmd -cert -add -db filename -pw password -label label -file filename -format 


ascii 
For Windows: 


runmqckm -cert -add -db filename -pw password -extensionel -file filename -format 

ascii 

e -db filename is the fully qualified file name of a CMS key database, for example: 
dbkey.kdb 

e -pw password is the password for the CMS key database with an extansion .cms 

e -label is the key label attached to the certificate, for example: 
"ibmwebspheremqqmname" 

e -file filename is the fully qualified file name of the file containing the Intermediate 
CA certificate, for example intermediate.cer 

e -format ascii is the format of the certificate. The value can be ascii for Base64- 


encoded ASCII. The default is ascii. 


Step 3: Obtain the SSL Certificate 


1. 


The Symantec certificate will be sent by email. The certificate is included as an 


attachment (Cert.cer) and it is also imbedded in the body of the email. 


2. Copy and paste the certificate into a text file using Vi or Notepad 


The text file should look like: 


3. Save the file with extension .cer 


Step 4: Install the SSL Certificate 


1. 


To install a certificate in iKeycmd (using UNIX command line), run following command: 


For UNIX: 


gsk7cmd -cert -receive -file filename -db filename -pw password -format ascii 


For Windows: 


runmqckm -cert -receive -file filename -db filename -pw password -format ascii 

e -file filename is the fully qualified file name of the file containing the personal 
certificate. 

e -db filename is the fully qualified file name of a CMS key database, for example: 
dbkey.kdb 

e -pw password is the password for the CMS key database with an extansion .cms 

e -label is the key label attached to the certificate, for example: 


"ibmwebspheremqqmname" 


-format ascii is the format of the certificate. The value can be ascii for Base64- 


encoded ASCII. The default is ascii. 


Steps 5: Extract SSL Certificate 


1. To extract a certificate in i:Keycmd, run following command: 


For UNIX: 


gsk7cmd -cert -extract -db filename -pw password -label label -target filename - 


format ascii 


For Windows 


runmqckm -cert -extract -db filename -pw password -label label -target filename - 


format ascii 


-db filename is the fully qualified pathname of a CMS key database. 

-pw password is the password for the CMS key database with an extansion .cms 
-label label is the label attached to the certificate. 

-target filename is the name of the destination file 

-format ascii is the format of the certificate. The value can be ascii for Base64- 


encoded ASCII. The default is asci. 


2. Verify certificate installation using the Symantec Installation Checker. 


